forked from pivotal-cf/docs-pks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
manage-cluster-permissions.html.md.erb
296 lines (240 loc) · 12.7 KB
/
manage-cluster-permissions.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
---
title: Managing Cluster Access and Permissions
owner: PKS
---
<strong><%= modified_date %></strong>
This topic describes how to grant Kubernetes cluster access and namespace permissions to users in <%= vars.product_full %>.
## <a id='overview'></a> Overview
<%= vars.product_short %> admin users can grant other users permissions to specific clusters
by using the PKS CLI and kubectl.
If you are an <%= vars.product_short %> admin user, you can do the following:
+ Grant user access to a cluster with a `ClusterRole` or a namespace within a cluster with a `Role`.
See [Grant Cluster Access to a User](#cluster-access-user) below.
+ Grant LDAP or SAML group access to a cluster with a `ClusterRole` or a namespace within a cluster with a `Role`.
See [Grant Cluster Access to a Group](#cluster-access-group) below.
After you grant access, you must create a `ClusterRoleBinding` or a `RoleBinding` for the user you gave
access to the cluster.
For more information, see [RoleBinding and ClusterRoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) and [Default Roles and Role Bindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings) in the Kubernetes documentation.
## <a id='prerequisites'></a> Prerequisites
Before setting up cluster access for users in <%= vars.product_short %>, you must have the following:
* Access to an <%= vars.product_short %> admin user account. For information on how to create PKS admin users,
see [Managing Enterprise PKS Admin Users with UAA](manage-users.html).
* A PKS API fully qualified domain name (FQDN) of your PKS deployment.
* A LDAP or SAML identity provider configured by the operator in the <%= vars.product_tile %> tile.
## <a id='cluster-access-user'></a> Grant Cluster Access to a User
After the cluster admin grants cluster access to end users,
the Kubernetes end user can use the Kubernetes Command Line
Interface (kubectl) to connect to the cluster. End users can only do actions that are
permitted by the cluster admin. They cannot create, resize, or delete
clusters.
<p class='note'><strong>Note:</strong> Before you can grant cluster access to Kubernetes end users,
you must enable OpenID Connect (OIDC) by selecting
<strong>Enable UAA as OIDC provider
</strong> in <strong>Ops Manager Installation Dashboard</strong> > <strong>
<%= vars.product_tile %> </strong> > <strong> Settings </strong> > <strong>UAA</strong>.
After you enable OIDC, you must run <code>pks get-credentials</code>
to update your existing kubeconfig file.</p>
The following diagram outlines the workflow to grant cluster access to a
user who belongs to an identity provider group:
<%# Edit the below file in Google Slides: https://docs.google.com/presentation/d/1ULHunAy-FNiY3NYlRnvmydHJE6QtBpvlO4j-9PBoYTE/edit?usp=sharing %>
<a href="images/enterprise-id.png" target="_blank"><img src="images/enterprise-id.png" alt="This diagram shows the workflow that operators and cluster admins use to grant cluster access to users."></a>
To grant cluster access to users, do the following:
1. Log in to PKS by running following command:
```
pks login -u USERNAME -p PASSWORD -a PKS-API --ca-cert CERT-PATH
```
Where:
* `USERNAME` is your cluster admin username.
This is the username created for your organization's LDAP or SAML identity provider.
* `PASSWORD` is your cluster admin password.
* `PKS-API` is the FQDN you use to access the PKS API.
* `CERT-PATH` is the path to your root CA certificate.
Provide the certificate to validate the PKS API certificate with SSL.
<%= partial "saml-sso-login" %>
1. Confirm that you can successfully connect to a cluster and use
kubectl as a cluster admin by running the following command:
```
pks get-credentials CLUSTER-NAME
```
This step creates a `ClusterRoleBinding` for the cluster admin.
<%= partial "saml-sso-login" %>
1. When prompted, re-enter your password.
1. Create a YAML file with either the `Role` or `ClusterRole` for your Kubernetes end user.
Use the following example as a template:
```
kind: ROLE-TYPE
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: NAMESPACE
name: ROLE-OR-CLUSTER-ROLE-NAME
rules:
- apiGroups:
resources: RESOURCE
verbs: API-REQUEST-VERB
```
Where:
* `ROLE-TYPE` is the type of role you are creating. This must be either `Role` or `ClusterRole`.
* `NAMESPACE` is the namespace within the cluster. This is omitted when creating a `ClusterRole`.
* `ROLE-OR-CLUSTER-ROLE-NAME` is the name of the `Role` or `ClusterRole` you are creating.
This name is created by the cluster admin.
* `RESOURCE` is the resource you are granting access to.
It must be specified in a comma-separated array. For example: `["pod-reader"]`
* `API-REQUEST-VERB` is the request verb used to specify resource requests. For more information, see
[Determine the Request Verb](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb) in the Kubernetes documentation.
1. Create the `Role` or `ClusterRole` resource defined in your YAML file by running the following command:
```
kubectl create -f ROLE-CONFIGURATION.yml
```
Where `ROLE-CONFIGURATION.yml` is the YAML file you created in the above step.
1. Create a YAML file containing either a `ClusterRoleBinding` or a `RoleBinding`
for the Kubernetes end user.
Use the following example as a template:
```
kind: ROLE-BINDING-TYPE
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ROLE-OR-CLUSTER-ROLE-BINDING-NAME
namespace: NAMESPACE
subjects:
- kind: User
name: USERNAME
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ROLE-TYPE
name: ROLE-OR-CLUSTER-ROLE-BINDING-NAME
apiGroup: rbac.authorization.k8s.io
```
Where:
* `ROLE-BINDING-TYPE` is the type of role binding you are creating.
This must be either `RoleBinding` or `ClusterRoleBinding`.
* `ROLE-OR-CLUSTER-ROLE-BINDING-NAME` is the name of the role binding.
This is given by the cluster admin.
* `NAMESPACE` is the namespace within the cluster.
This is omitted when creating a `ClusterRole`.
* `USERNAME` is the Kubernetes end user username.
This is the username created for your organization's LDAP or SAML identity provider. <br>If you configured
**UAA OIDC Username Prefix** in **Ops Manager Installation Dashboard** > **Enterprise PKS** > **Settings**
> **UAA**, you must prepend `USERNAME` with the prefix you configured. For more information, see [UAA](./installing-pks-vsphere.html#uaa) in the _Installing_ topic for your IaaS.
* `ROLE-TYPE` is the type of role you created in the previous step.
This must be either `Role` or `ClusterRole`.
* `ROLE-OR-CLUSTER-ROLE-NAME` is the name of the `Role` or `ClusterRole` you are creating.
1. Create the `RoleBinding` or `ClusterRoleBinding` resource defined
in your YAML file by running following command:
```
kubectl apply -f ROLE-BINDING-CONFIGURATION.yml
```
Where `ROLE-BINDING-CONFIGURATION.yml` is the YAML file you created in the above step.
1. Share the following information with your Kubernetes end users:
- PKS API FQDN
- Cluster name
## <a id='obtain-cluster-access'></a> Obtain Cluster Access as a User
To obtain cluster access, the end user must perform the following actions:
1. Fetch the kubeconfig file by running one of the following command:
+ If you want to validate the PKS API certificate with SSL, run the following command:
```
pks get-kubeconfig CLUSTER-NAME -u USERNAME -a PKS-API --ca-cert CERT-PATH
```
Where:
* `CLUSTER-NAME` is the cluster name provided by the cluster admin.
* `USERNAME` is the Kubernetes end user username.
This is the username created for your organization's LDAP or SAML identity provider.
* `PKS-API` is the FQDN you use to access the PKS API.
* `CERT-PATH` is the path to your root CA certificate.
Provide the certificate to validate the PKS API certificate with SSL.
For example:
<pre class="terminal">$ pks get-kubeconfig my-cluster -u naomi -a api.pks.example.com \
--ca-cert /var/tempest/workspaces/default/root_ca_certificate</pre>
+ If your CA is trusted and you want to skip SSL validation, run the following command:
```
pks get-kubeconfig CLUSTER-NAME -u USERNAME -a PKS-API -k
```
Where `-k` is the shortcut flag to skip SSL validation.
For example:
<pre class="terminal">$ pks get-kubeconfig my-cluster -u naomi -a api.pks.example.com -k</pre>
<%= partial "saml-sso-login" %>
1. When prompted, enter your password.
1. The PKS CLI generates a kubeconfig for the cluster you have access to.
Review the following example kubeconfig file:
```
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: PROVIDED-BY-ADMIN
server: PROVIDED-BY-ADMIN
name: PROVIDED-BY-ADMIN
contexts:
- context:
cluster: PROVIDED-BY-ADMIN
user: PROVIDED-BY-USER
name: PROVIDED-BY-ADMIN
current-context: PROVIDED-BY-ADMIN
kind: Config
preferences: {}
users:
- name: PROVIDED-BY-USER
user:
auth-provider:
config:
client-id: pks_cluster_client
cluster_client_secret: ""
id-token: PROVIDED-BY-USER
idp-issuer-url: https://PROVIDED-BY-ADMIN:8443/oauth/token
refresh-token: PROVIDED-BY-USER
name: oidc
```
1. Access the cluster using kubectl. For more information about kubectl commands,
see [Overview of kubectl](https://kubernetes.io/docs/reference/kubectl/overview/)
in the Kubernetes documentation.
## <a id='cluster-access-group'></a> Grant Cluster Access to a Group
Cluster admins can grant access to an identity provider group by creating a `ClusterRoleBinding` or
`RoleBinding` for that group. You can only grant access to an identity provider group
if you use a LDAP or SAML identity provider for UAA.
You can configure a LDAP or SAML identity provider in
<strong>Ops Manager Installation Dashboard</strong> >
<strong> <%= vars.product_tile %> </strong> > <strong> Settings </strong> > <strong>UAA</strong>.
<p class='note'><strong>Note:</strong> If you are using a LDAP group,
you must confirm that the LDAP group you are
giving access to has been whitelisted in the
<%= vars.product_tile %> tile.
To do this, review <strong>External Groups Whitelist</strong> in
<strong>Ops Manager Installation Dashboard</strong> > <strong>
<%= vars.product_tile %> </strong> > <strong> Settings </strong> > <strong>UAA</strong>.</p>
The procedure for granting cluster access to an identity provider group is similar to the
procedure in [Grant Cluster Access to a User](#cluster-access-user) above.
To grant cluster access to an identity provider group,
do the procedure in [Grant Cluster Access to a User](#cluster-access-user) above
and replace step 6 with the following:
1. In the YAML file for a `ClusterRoleBinding` or a `RoleBinding`, replace the `subjects` section
with the following:
```
subjects:
- kind: Group
name: NAME-OF-GROUP
apiGroup: rbac.authorization.k8s.io
```
Use the following example as a template:
```
kind: ROLE-BINDING-TYPE
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ROLE-OR-CLUSTER-ROLE-BINDING-NAME
namespace: NAMESPACE
subjects:
- kind: Group
name: NAME-OF-GROUP
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ROLE-TYPE
name: ROLE-OR-CLUSTER-ROLE-BINDING-NAME
apiGroup: rbac.authorization.k8s.io
```
Where:
* `ROLE-BINDING-TYPE` is the type of role binding you are creating. This must be either `RoleBinding` or `ClusterRoleBinding`.
* `ROLE-OR-CLUSTER-ROLE-BINDING-NAME` is the name of the role binding. This is given by the cluster admin.
* `NAMESPACE` is the namespace within the cluster. This is omitted when creating a `ClusterRole`.
* `NAME-OF-GROUP` is the identity provider group name. This name is case sensitive. <br>If you configured
**UAA OIDC Groups Prefix** in **Ops Manager Installation Dashboard** > **Enterprise PKS** > **Settings**
> **UAA**, you must prepend `NAME-OF-GROUP` with the prefix you configured. For more information, see [UAA](./installing-pks-vsphere.html#uaa) in the _Installing_ topic for your IaaS.
* `ROLE-TYPE` is the type of role you created in the previous step.
This must be either `Role` or `ClusterRole`.
* `ROLE-OR-CLUSTER-ROLE-NAME` is the name of the `Role` or `ClusterRole` you are creating.